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Information  Systems  Audits 

Information  Systems  (IS)  audits  conducted  by  the  Legislative  Audit 
Division  are  designed  to  assess  controls  in  an  IS  environment. 
IS  controls  provide  assurance  over  the  accuracy,  reliability,  and 
integrity  of  the  information  processed.  From  the  audit  work, 
a  determination  is  made  as  to  whether  controls  exist  and  are 
operating  as  designed.  We  conducted  this  IS  audit  in  accordance 
with  generally  accepted  government  auditing  standards.  Those 
standards  require  that  we  plan  and  perform  the  audit  to  obtain 
sufficient,  appropriate  evidence  to  provide  a  reasonable  basis  for 
our  findings  and  conclusions  based  on  our  audit  objectives.  We 
believe  that  the  evidence  obtained  provides  a  reasonable  basis  for 
our  finding  and  conclusions  based  on  our  audit  objectives. 

Members  of  the  IS  audit  staff  hold  degrees  in  disciplines  appro- 
priate to  the  audit  process.  Areas  of  expertise  include  business, 
accounting,  education,  computer  science,  mathematics,  political 
science,  and  public  administration. 

IS  audits  are  performed  as  stand-alone  audits  of  IS  controls  or 
in  conjunction  with  financial-compliance  and/or  performance 
audits  conducted  by  the  office.  These  audits  are  done  under  the 
oversight  of  the  Legislative  Audit  Committee  which  is  a  bicameral 
and  bipartisan  standing  committee  of  the  Montana  Legislature. 
The  committee  consists  of  six  members  of  the  Senate  and  six 
members  of  the  House  of  Representatives. 
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The  Legislative  Audit  Committee 
of  the  Montana  State  Legislature: 

We  conducted  an  Information  Systems  audit  of  the  Consolidated  Environmental 
Data  Access  and  Retrieval  System  (CEDARS).  The  Department  of  Environmental 
Quality  (DEQ)  operates  and  maintains  CEDARS  to  assist  in  the  administration  of 
environmental  and  facility  site  data  including  permits  and  fines.  The  focus  of  the  audit 
was  to  determine  the  success  of  the  migration  process  and  if  CEDARS  was  operating  as 
expected  in  maintaining  customer  records  and  generating  reports.  Security  controls  to 
maintain  the  integrity  of  CEDARS  data  were  also  reviewed  during  the  audit. 

Overall,  we  found  DEQ  has  controls  in  place  to  ensure  CEDARS  is  accurately  reporting 
environmental  and  site  data,  as  well  as  securing  access  to  CEDARS.  However,  we  did 
identify  areas  where  DEQ  can  improve.  As  a  result,  we  issued  two  recommendations 
relating  to  improving  system  development  by  implementing  best  practices  for  migration 
of  new  programs  into  CEDARS,  and  improving  business  continuity  of  CEDARS 
operations  by  implementing  a  disaster  recovery/business  continuity  plan. 

We  wish  to  express  our  appreciation  to  personnel  within  the  Department  of  Environmental 
Quality  for  their  cooperation  and  assistance. 


Respectfullysubmitted, 


Ton  Hunthausen,  CPA 
Legislative  Auditor 
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Report  Summary 

Consolidated  Environmental  Data 
Access  and  Retrieval  System 

The  Consolidared  Environmental  Data  Access  and  Retrieval  System  (CEDARS)  is 
a  computer  system  implemented  by  the  Department  of  Environmental  Quality 
(DEQ)  to  assist  in  the  administration  of  environmental  and  facility  site  data  including 
permits  and  fines.  CEDARS  development  began  in  2000  with  the  migration  of 
legacy  environmental  databases  into  a  single  integrated  system.  CEDARS  was  put 
into  production  in  2002.  To  date,  business  processes  for  five  legacy  applications  have 
been  migrated  into  sub-systems  within  CEDARS.  Additional  applications  will  be 
implemented  into  CEDARS  depending  on  funding  and  departmental  needs. 

Facility  site  data  stored  in  CEDARS  includes  permit  information,  client  contact  infor- 
mation, and  environmental  records.  The  data  and  functionality  of  CEDARS  is  used  by 
employees  from  multiple  departments  in  DEQ  to  maintain  business  records,  permits, 
fines,  and  a  multitude  of  environmental  data.  Reports  generated  from  CEDARS  data 
are  used  by  DEQ  personnel,  the  Environmental  Protection  Agency  (EPA),  and  the 
public. 

CEDARS  plays  an  important  role  in  the  maintenance  of  environmental  and  site  data. 
As  such,  it  is  imperative  the  system  is  accurately  storing,  processing,  and  reporting 
data.  In  consideration  of  this,  we  established  audit  objectives  to  determine  if  DEQ 
had  successfully  and  accurately  migrated  legacy  data  into  CEDARS  and  verify 
CEDARS  was  accurately  maintaining  customer  records  and  generating  reports.  We 
also  performed  audit  work  to  determine  if  security  controls  are  in  place  to  ensure  the 
integrity  of  CEDARS  data. 

Overall,  we  found  DEQ  has  controls  in  place  to  ensure  CEDARS  is  accurately  reporting 
environmental  and  site  data,  as  well  as  securing  access  to  CEDARS.  However,  we  did 
identify  areas  where  DEQ  can  improve.  This  report  includes  two  recommendations 
for  DEQ  relating  to  improving  system  development  by  implementing  best  practices 
for  migration  of  new  programs  into  CEDARS  and  improving  business  continuity  of 
CEDARS  operations  by  implementing  a  disaster  recovery/business  continuity  plan. 
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Chapter  I  -  Introduction 

Introduction 

A  critical  part  of  Department  of  Environmental  Quality  (DEQ)  program  administration 
is  maintenance  of  environmental  data.  To  assist  in  this  task,  the  agency  developed 
multiple  databases  and  systems  accommodating  data  within  the  various  programs. 
System  operations  include  management  of  water  quality,  air  quality,  hazardous  waste, 
as  well  as  a  multitude  of  other  environmental  permitting  programs.  At  peak,  175 
individual  databases  were  in  use  throughout  the  department. 

In  calendar  year  2000,  DEQ  began  an  effort  to  integrate  the  various  program  systems 
and  databases  into  a  single  Oracle  database  with  a  shared  web  application  used  to  access 
data.  This  project  was  named  the  Consolidated  Environmental  Data  Acquisition  and 
Retrieval  System  (CEDARS).  Based  on  DEQ  documentation,  management  intended 
to  integrate  all  individual  databases  into  CEDARS;  however,  according  to  current 
DEQ  management  further  integration  of  additional  databases  will  depend  on  funding 
and  departmental  needs.  CEDARS  was  first  placed  into  production  in  2002  as  an 
integrated  database  storing  information  for  sites  of  environmental  interest  to  DEQ. 
This  core  site  data  system  is  modeled  after  the  Environmental  Protection  Agency's 
(EPA)  Facility  Identification  Template  for  States. 

To  date,  DEQ  has  migrated  the  following  five  legacy  applications  into  subsystems 
within  CEDARS,  each  with  its  own  official  application  interface  requiring  a  valid 
username  and  password  to  access  the  subsystem: 

♦  Airs  (Air  Quality  Subsystem) 

♦  Enforcement/Legal 

♦  FITS  (Facility  Identification  Template  for  Sites) 

♦  lEM/EMB  (Industrial  and  Energy  Minerals  Bureau) 

♦  WUTMB  (Waste  and  Underground  Tank  Management  Bureau) 

The  official  application  interfaces  provide  access  to  appropriate  program  data  and 
functions  critical  in  maintaining  site  and  environmental  data.  The  multiple  subsystems 
and  associated  data  in  CEDARS,  including  these  five  programs,  all  reside  in  the  same 
database.  Figure  1  provides  a  visual  description  of  the  CEDARS  architecture. 
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Figure  1 
CEDARS  Architecture 
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Source:  Compiled  by  the  Legislative  Audit  Division. 


Audit  Objectives 

Multiple  interfaces  to  the  CEDARS  production  database  exist  allowing  users  to 
collect,  analyze,  review,  and  compile  reports  on  environmental  information.  There  are 
over  275  CEDARS  users  spread  across  all  divisions  within  DEQ.  One  of  the  critical 
functions  of  CEDARS  is  to  access  and  retrieve  data  records,  and  provide  environmental 
reports  used  by  DEQ  personnel,  the  EPA,  and  the  public.  Based  on  the  importance 
of  environmental  information  and  reliance  on  data  by  DEQ,  EPA,  the  Montana  State 
Legislature,  and  the  public,  our  audit  focused  on  the  security  and  integrity  of  data  in 
CEDARS. 


CEDARS  plays  an  important  role  in  the  maintenance  of  environmental  and  site  data. 
As  such,  it  is  imperative  the  system  is  accurately  storing,  processing,  and  reporting 
data.  Due  to  the  critical  role  of  the  system,  we  conducted  audit  work  to  address  the 
following  four  objectives: 

1 .  Verify  data  records  completely  and  accurately  migrated  into  CEDARS  from 
external  databases. 

2.  Verify  access  to  CEDARS  is  authorized  and  appropriate. 

3.  Verify  reports  output  by  CEDARS  are  accurate. 

4.  Ensure  DEQ  has  developed  a  plan  to  recover  CEDARS  in  the  event  of  an 
emergency  or  major  outage. 


Audit  Scope  and  Methodology 

DEQ  has  migrated  five  unique  program  applications  into  subsystems  within 
CEDARS.  The  scope  ot  our  audit  primarily  focused  on  the  integrity  of  data  within 
the  five  subsystems  including  accurate  migration  and  reporting  of  data.  In  addition, 
outside  influences  can  affect  system  operations  and  data  integrity.  Consequently,  we 
included  security  of  the  CEDARS  application  and  hardware  in  the  scope  of  this  audit. 
Specifically,  we  reviewed  user  access  to  CEDARS  and  plans  for  ensuring  continued 
operation  of  the  system  in  the  event  of  a  disaster  or  major  outage. 

Testing  of  CEDARS  functionality  and  controls  was  conducted  through  a  combination 
of  IT  staff  interviews,  review  of  agency  documentation,  observation  of  CEDARS 
processes,  and  extraction  and  analysis  of  CEDARS  data  using  a  computer  assisted 
audit  tool. 

This  audit  was  conducted  in  accordance  with  Government  Auditing  Standards 
pubhshed  by  the  United  States  Government  Accountability  Office  (GAO).  We 
evaluated  the  control  environment  using  state  law,  best  practices,  and  generally 
applicable  and  accepted  information  technology  standards  established  by  the  IT 
Governance  Institute. 

Audit  Overview 

Based  on  our  work,  we  conclude  DEQ  has  successfully  migrated  five  program 
subsystems  into  CEDARS,  including  successful  migration  of  data  records.  We 
identified  system  and  security  controls  in  place  to  maintain  CEDARS  data.  While 
these  controls  are  in  place,  we  identified  areas  in  the  development  of  CEDARS  where 
DEQ  could  improve.  Specifically,  system  development  best  practices  should  be 
implemented  to  ensure  continued  successful  migration  of  future  program  subsystems, 
including  documenting  cost  and  time  requirements  to  help  monitor  cost  efficiency.  In 
addition,  DEQ  can  improve  the  continuity  of  CEDARS  operations  by  implementing 
a  disaster  recovery  program.  The  remainder  of  this  report  discusses  our  findings  and 
recommendations. 
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Chapter  II  -  CEDARS  Development 

Introduction 

The  development  of  the  ConsoHdated  Environmental  Data  Access  and  Retrieval  System 
(CEDARS)  was  based  on  two  processes.  The  first  was  conversion  of  program  structure 
and  functionality  of  legacy  systems,  including  business  process  forms  and  reports, 
into  a  new  consolidated  Oracle  database.  The  second  process  involved  a  complete  and 
accurate  migration  of  program  data  into  the  new  database. 

During  the  inception  of  CEDARS,  a  management  decision  was  made  to  have  the 
conversion  process  performed  mostly  by  private  contractors,  while  the  migration  of 
program  data  was  to  be  performed  mainly  by  Department  of  Environmental  Quality 
(DEQ)  personnel.  The  decision  to  have  data  migrations  performed  internally  was  made 
in  order  to  keep  product  knowledge  and  expertise  in  the  department  to  help  expedite 
current  and  future  development.  Testing  by  DEQ  personnel  was  to  be  performed 
during,  and  at  the  end  of,  each  phase  of  migration  to  ensure  completeness. 

Our  first  objective  was  to  review  data  migration  documentation  to  ensure  all  data 
and  program  functionality  was  successfully  moved  from  legacy  program  databases 
into  CEDARS.  DEQ  established  migration  processes  for  each  program  converted 
to  CEDARS.  We  reviewed  the  CEDARS  migration  processes  for  consistency  and 
integrity.  During  our  review,  we  noted  DEQ  had  not  documented  its  processes  on  how 
migration  should  occur;  however,  migration  results  were  documented.  Audit  testing 
consisted  of  review  and  verification  of  results  to  ensure  complete  migration  of  data, 
business  processes,  database  structure,  and  functionality. 

Program  Structure  Conversion 

In  order  to  get  an  understanding  of  the  controls  over  the  process,  we  reviewed  existing 
documentation  from  three  of  the  five  subsystems  in  CEDARS.  For  each  migration, 
existing  documentation  of  the  original  program  structure  was  compared  with  the 
current  CEDARS  production  structure  to  ensure  formatting  rules  were  in  place  and 
tested  during  each  conversion.  Based  on  our  comparison,  existing  documentation 
supports  complete  conversion  of  two  of  the  three  subsystem  applications.  Even  though 
we  identified  a  lack  of  documentation  for  one  of  the  three  subsystems,  all  five  CEDARS 
subsystems  are  in  use. 

Since  documentation  was  incomplete,  we  further  reviewed  controls  to  determine  if 
DEQ  management  accepted  subsystem  conversion.  As  part  of  DEQ's  migration 
processes,  management  was  to  accept  the  conversion  before  migration  to  the  production 
environment  occurred,  so  we  would  expect  documentation  to  exist.  However,  we  found 
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management  acceptance  was  not  consistently  documented  nor  maintained  for  any  of 
the  migrations  we  reviewed. 

Program  Data  Migration 

In  order  to  determine  successful  migration  of  program  data  to  CEDARS,  we  reviewed 
the  controls  in  place  over  the  process.  During  development,  the  data  being  migrated 
needed  to  be  tested  to  ensure  it  migrated  to  the  new  structure  in  CEDARS  without 
being  lost.  This  process  took  multiple  attempts,  each  one  generating  a  report  with 
successes  and  errors  for  each  data  item.  A  report  with  no  errors  indicated  a  100  percent 
complete  migration  of  data.  Our  review  identified  final  reports  containing  errors, 
which  indicated  less  than  100  percent  data  migration. 

At  the  end  of  this  process,  DEQ  management  was  to  sign  an  acceptance  form.  This 
acceptance  indicated  either  100  percent  of  the  data  migrated  to  the  CEDARS  database 
structure  error  free,  or  management  accepted  less  than  100  percent  data  migration. 
However,  DEQ  did  not  retain  these  forms,  so  we  cannot  verify  management  accepted 
and  approved  CEDARS  data  migration. 

Historical  Databases  Maintained 

Because  there  was  incomplete  documentation  of  the  data  migration  process,  we  cannot 
verify  all  data  from  each  legacy  system  was  completely  transferred  to  CEDARS.  As  a 
result,  we  performed  work  to  identify  additional  procedures  which  would  ensure  critical 
program  data  has  not  permanently  been  lost.  After  conversion,  the  legacy  databases 
were  relocated  to  a  different  section  on  DEQ's  internal  network.  Access  to  the  legacy 
databases  was  retained,  only  for  database  administrators,  should  future  needs  arise 
requiring  recovery  of  historical  data. 


Conclusion 

Audit  work  determined  the  multiple  migration  processes  established  by  DEQ 
followed  similar  procedures  including  implementation  of  formatting  rules, 
testing  procedures,  exception  reports,  and  management  approval.  Due  to  lack 
of  documentation,  we  were  unable  to  verify  completeness  and  success  of 
CEDARS  migration. 


Implementation  of  Best  Practices 


The  Montana  Information  Technology  Act  (MITA)  outlines  state  law  for  system 
development.  MITA  laws  regarding  development  of  information  technology  resources 
state: 


"It  is  the  policy  of  the  state  that  the  development  of  information  technology  resources  in 
the  state  must  be  conducted  in  an  organized,  deliberative,  and  cost-effective  manner." 
(§2-17-505(2),  MCA) 

MITA  also  requires  agencies  to  develop  information  technology  plans  which  should 
include  a  life  cycle  cost  analysis  for  investments  in  new  projects  and  resources. 

(§2-17-524(l)(e),  MCA) 

The  State's  Chief  Information  Officer  has  established  new  policy  on  project  management. 
The  Project  Management  Interim  Policy,  approved  March  3,  2009,  establishes  the 
requirements  for  the  utilization  of  project  management  methodologies  as  defined  by  the 
State  of  Montana  Project  Management  Office.  In  addition  to  MITA  and  state  policy, 
best  practices  suggest  standard  system  development  organization  for  a  project  like 
CEDARS  should  include  a  feasibility  and  requirements  study,  requirements  definition, 
detailed  design,  programming,  testing,  installation,  and  post-implementation  review. 
During  our  audit,  we  were  unable  to  identify  documentation  verifying  DEQ  followed 
best  practices  when  developing  CEDARS.  While  MITA  and  policy  mentioned  above 
had  not  been  implemented  at  the  time  of  initial  CEDARS  development,  best  practices 
have  been  in  place  for  years.  If  current  project  management  practices  for  CEDARS 
development  followed  initial  documentation  practices,  DEQ  would  not  be  able  to 
confirm  compliance  with  state  law  or  policy. 

Review  of  the  existing  documentation  for  the  multiple  conversion  processes  revealed  use 
of  multiple  contractors  and  frequent  turnover  of  DEQ  personnel  during  development. 
According  to  DEQ  personnel,  the  amount  of  turnover  and  contracted  work  made 
it  difficult  to  organize  and  maintain  internally  created  and  contractor  provided 
documentation.  Existing  documentation  over  the  migration  process  includes  testing 
queries,  error  reports,  data  structure  tables,  and  other  files  specific  to  each  subsystem. 
Based  on  past  experience  with  constantly  changing  personnel  working  on  CEDARS 
conversion,  complete  and  consistent  documentation  will  help  DEQ  ensure  consistency 
with  future  migration  procedures. 

Project  management  best  practices  suggest  documentation  of  cost,  funding,  and  design 
methodology.  Audit  work  found  five  subsystems  have  been  developed  and  migrated 
into  CEDARS,  with  additional  subsystems  being  developed  in  the  future.  Based  on  our 
review,  DEQ  appears  to  be  working  to  ensure  data  integrity  is  maintained  and  system 
functionality  is  working  as  expected.  However,  DEQ  did  not  document  the  amount 
of  work  performed,  resources  required,  and  time  involved  to  complete  the  migration  of 
the  five  subsystems  currently  within  CEDARS.  As  a  result,  DEQ  cannot  provide  the 
overall  cost  and  time  spent  on  CEDARS  to  this  point,  or  the  additional  cost  required 
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to  fully  complete  CEDARS  migration.  Also,  DEQ  has  not  documented  its  processes  to 
ensure  future  migration  of  legacy  systems  into  the  CEDARS  environment  is  consistent. 
Because  migration  of  legacy  systems  and  data  into  CEDARS  is  an  ongoing  process, 
DEQ  should  implement  best  practices  and  document  the  process  to  ensure  a  complete 
and  consistent  transfer  and  acceptance  of  program  structure  and  data. 


Recommendation  #7 

We  recommend  the  Department  of  Environmental  Quality  comply  with 
system  development  law  and  policy  by  implementing  policy  for  migration  and 
documenting  all  steps  of  the  process. 


Chapter  Ml  -  Data  Security  and  Integrity 

Introduction 

System  and  security  controls  over  the  Consolidated  Environmental  Data  Access 
and  Retrieval  System  (CEDARS)  ensure  the  integrity  of  data,  business  processes, 
and  reports  generated  from  the  system.  These  controls  include  change  management 
tracking  software  with  audit  logging  and  management  acceptance  of  change;  user 
access;  system  edits  and  constraints  to  ensure  accurate,  consistent,  and  complete  data; 
and  a  process  to  detect  and  prevent  duplicate  data  records  in  the  database.  This  chapter 
discusses  our  findings  related  to  ensuring  CEDARS  data  integrity. 

Change  Management  Controls 

Even  if  DEQhas  maintained  the  integrity  of  CEDARS  data,  this  does  not  mean  the 
system  is  processing  data  to  meet  the  needs  of  DEQ  and  the  State.  There  should  be 
change  management  controls  in  place  to  ensure  CEDARS  functionality  is  working 
as  expected,  including  request,  development,  test,  and  approval  of  all  system  changes. 
DEQ  can  confirm  accurate  processing  and  add  needed  functionality  to  the  system 
via  its  change  management  process.  The  main  control  over  change  management  is 
DEQ's  Trackit  application.  Trackit  is  a  management  tool  used  to  maintain  a  record 
of  all  CEDARS  system  change  requests.  It  is  the  starting  point  for  all  change  requests 
including,  but  not  limited  to,  system  changes  such  as  granting  user  access,  correcting 
data  errors,  coding  fixes,  and  adding  program  functionality. 

In  order  to  complete  a  change  request,  appropriate  management  approval  is  required, 
which  is  documented  and  maintained  in  Trackit.  Review  of  the  controls  in  place  over 
this  process  were  performed  to  ensure  Trackit  is  working  as  intended,  and  as  such,  is 
ensuring  CEDARS  processing  has  been  requested,  developed,  tested,  and  approved 
prior  to  availability  to  DEQ  users. 


Conclusion 

Based  on  our  audit  work,  we  conclude  DEQ  has  implemented  change 
management  procedures  for  CEDARS. 


User  Access  Controls 

User  access  to  CEDARS  databases  was  reviewed  to  ensure  access  is  authorized,  appro- 
priate, and  based  on  job  responsibilities.  Access  to  CEDARS  is  limited  through  an 
internal  policy  of  least  privilege,  granting  a  user  only  enough  access  to  perform  their 
job  duties.  Request  forms  and  management  approval  for  access  are  stored  in  Trackit. 


09DP-01 


10 


Montana  Legislative  Audit  Division 


User  access  is  determined  by  groups  of  combined  access  called  packages.  There  are  a 
multitude  of  packages,  each  containing  policies  granting  access  to  various  programs  in 
CEDARS.  There  are  policy  packages  which  affect  all  CEDARS  users,  as  well  as  specific 
packages  developed  for  different  bureaus,  programs,  and  job  positions.  Audit  work 
reviewed  user  access  based  on  job  duties  and  subsystem  program  needs.  In  addition 
to  packaged  3iccess,  a  user  can  request  access  to  a  specific  aspect  of  CEDARS  such  as 
a  table,  form,  or  report  via  the  change  management  process  in  Tracklt.  Our  review  of 
CEDARS  access  determined  user  access  was  segregated  by  program  and  least  privilege. 
For  example,  an  employee  in  the  Enforcement/Legal  department  only  has  access  to 
Enforcement/Legal  tables,  forms,  and  reports  in  CEDARS. 


Conclusion 

Based  on  our  audit  work,  we  conclude  there  are  controls  in  place  to  ensure 
access  to  CEDARS  is  reviewed  and  authorized  by  management,  which 
ensures  appropriateness  for  all  users. 


Data  Entry  Controls 

Data  entry  controls  help  ensure  the  completeness  and  accuracy  of  data  in  CEDARS. 
There  are  multi-level  controls  over  CEDARS  data  entry,  including  system  edits, 
required  fields,  and  data  formatting.  System  edits  are  program  code  used  as  controls  in 
data  entry  and  processing.  Data  entry  fields  can  be  marked  as  required.  If  a  required 
field  is  left  blank,  the  control  will  halt  data  entry  processing  and  prompt  the  user  to 
enter  a  valid  value  in  the  required  field  in  order  to  continue.  Data  formatting  rules 
ensure  consistent  data  types  for  each  form.  For  example,  ensuring  a  phone  entry 
has  all  ten  numbers  and  only  numeric  characters.  Auditor  review  of  the  production 
environment  determined  controls  are  in  place  to  ensure  complete  and  accurate  entry 
of  data  into  CEDARS. 

Environmental  data  in  CEDARS  is  organized  by  site  and  stored  in  the  Facility 
Identification  Template  for  Sites  (FITS)  section.  When  entering  environmental  data 
into  CEDARS,  a  user  can  either  add  to  a  current  site  or  create  a  new  site.  Because  users 
from  multiple  programs  may  create  or  access  records  for  a  single  permit  holder,  there  is 
a  risk  duplicate  records  could  be  created  for  the  same  permit  holder. 

The  main  control  preventing  duplicate  entry  of  permit  holder  site  information  is  a 
two  part  process.  The  first  part  of  the  process  is  an  automated  system  edit  activated 
when  a  user  submits  permit  holder  site  data.  This  automated  script  checks  for  potential 
duplicates  by  comparing  the  submitted  site  information  with  current  CEDARS  data. 
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The  data  compared  includes  required  information  such  as  name,  address,  latitude 
and  longitude.  If  any  potential  duplicates  are  identified  they  are  listed  in  a  popup 
screen  pausing  data  entry.  The  user  then  reviews  the  popup  list  and  determines  if  the 
submitted  data  duplicates  a  current  site  in  CEDARS. 

The  second  part  of  the  process  relies  on  the  user's  determination  if  the  information 
being  entered  is  a  new  site.  If  it  is  a  new  site,  the  user  will  save  the  data  as  a  new  entry.  If 
user  analysis  determines  the  submitted  site  information  is  a  duplicate,  they  notify  the 
individual  who  submitted  the  original  site  information  and  work  to  merge  the  updated 
information  with  the  appropriate  record. 


Conclusion 

Based  on  our  audit  work,  we  conclude  controls  are  in  place  to  ensure  data 
entered  in  CEDARS  is  complete  and  accurate. 


Reporting  Controls 

Reports  generated  from  CEDARS  may  be  used  by  department  staff  and  management, 
state  and  federal  officials,  and  the  public.  Audit  work  was  performed  to  determine  if 
controls  are  in  place  to  ensure  the  accuracy  of  CEDARS  reporting. 

We  reviewed  two  aspects  of  reporting:  data  integrity  controls,  and  the  programming 
code  responsible  for  outputting  reports.  The  first  aspect  of  control  over  the  accuracy 
of  reporting  is  the  integrity  of  CEDARS  data.  Data  integrity  starts  with  data  entry 
controls,  continues  with  change  management  controls,  and  is  complete  only  when 
an  accurate  report  is  generated.  As  concluded  previously,  data  entry  and  change 
management  controls  are  in  place  to  help  ensure  data  integrity. 

Once  data  integrity  was  determined,  we  reviewed  the  programming  code  which 
generates  reports  from  CEDARS  data.  We  selected  a  judgmental  sample  of  standard 
reports  available  to  CEDARS  users  and  analyzed  the  programming  code.  Three 
standard  CEDARS  reports  were  analyzed  with  plans  to  increase  the  number  of  reports 
analyzed  if  errors  were  found. 

Analysis  included  review  of  the  data  tables  accessed  by  the  report  to  determine 
completeness  of  reported  data.  Once  the  data  tables  were  identified,  we  developed 
queries  to  generate  ad-hoc  reports  with  the  same  delineating  factors  as  the  three  standard 
CEDARS  reports  reviewed.  We  generated  reports  for  Air  Fees,  Methamphetamine 
Cleanup  Program,  and  Enforcement  cases.  Review  of  the  standard  report  output 
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compared  with  our  ad-hoc  queries  showed  a  100  percent  match  in  reported  data.  As  a 
result,  we  did  not  expand  our  analysis  to  include  additional  repons. 


Conclusion 

Considering  our  review  of  data  entry  controls,  change  management  controls, 
report  code  analysis,  and  report  comparisons,  we  conclude  controls  are  in 
place  to  ensure  standard  reports  are  accurately  reporting  CEDARS  data. 
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Chapter  IV-  Business  Continuity 

Introduction 

An  important  responsibility  of  the  Department  of  Environmental  Quality  (DEQ)  is  to 
maintain  the  availability  of  the  Consolidated  Environmental  Acquisition  and  Retrieval 
System  (CEDARS)  in  the  event  of  a  disaster  or  major  outage.  Availability  of  CEDARS 
data  is  critical  to  the  business  processes  of  multiple  programs  within  the  department. 
As  such,  any  long  term  outage  of  the  system  could  hinder  the  productivity  of  users 
who  rely  on  CEDARS  to  perform  their  daily  job  duties  resulting  in  a  higher  cost  for 
services  performed,  and  inconveniencing  both  the  department  and  permit  holders. 

There  are  a  number  of  events  that  could  occur  resulting  in  a  loss  of  CEDARS  operations. 
The  worst  case  scenario  would  involve  a  natural  disaster.  Events  such  as  earthquakes, 
flooding,  theft,  electrical  outages,  fire,  and  human  error  can  damage  critical  CEDARS 
components,  potentially  resulting  in  the  inability  to  process  environmental  data  for  the 
State. 

Disaster  Recovery/Business  Continuity  Plan 

State  law  regarding  security  responsibilities  of  departments  for  data  state:  "Each 
depanment  head  shall:  implement  appropriate  cost-effective  safeguards  to  reduce, 
eliminate,  or  recover  from  identified  threats  to  data."  (§2-15-114(3),  MCA)  In  addition, 
to  mitigate  the  damage  resulting  from  major  and  minor  disasters,  best  practices  suggest 
organizations  test,  implement,  and  maintain  a  disaster  recovery/business  continuity 
plan.  The  organization  should  develop  policies,  plans,  and  procedures  to  regain  access 
to  data,  workspace,  lines  of  communication,  and  critical  business  processes. 

DEQ  management  recognizes  the  need  for  a  disaster  recovery/business  continuity  plan 
as  an  important  aspect  of  business  operations.  DEQ  has  policy  in  place  addressing 
disaster  recovery  as  well  as  a  continuity  of  operations  plan.  The  recovery  of  CEDARS 
hardware  is  addressed  in  a  Service  Level  Agreement  (SLA)  with  the  Department  of 
Administration's  (DOA)  Information  Technology  Services  Division  (ITSD).  The  SLA 
states  ITSD  is  responsible  for  complete  restoration  of  hardware.  The  estimated  time 
frame  listed  in  the  SLA  is  a  range  of  one  day  to  eight  weeks.  It  also  states  customers 
are  responsible  to  ensure  agency  applications  and  databases  are  included  in  the  State 
disaster  recovery  plan.  While  the  SLA  provides  procedures  for  hardware  recovery,  a 
CEDARS  specific  step  by  step  plan  detailing  the  recovery  process  is  needed  in  order  to 
fully  recover  CEDARS.  Once  server  hardware  functionality  is  restored,  it  is  up  to  the 
department  to  follow  its  detailed  plan  to  restore  and  test  CEDARS  data  and  program 
code. 
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While  DEQ  also  has  a  continuity  of  operations  plan,  it  does  not  address  CEDARS 
specifically.  The  plan  lists  critical  functions  with  estimated  recovery  times,  but  it  does 
not  address  how  the  functions  will  be  recovered.  Additionally,  it  does  not  detail  work 
to  be  done  in  the  interim  between  service  interruption  and  recovery.  Without  a  detailed 
plan  providing  specific  steps,  DEQ  cannot  provide  an  estimated  time  frame  as  to  when 
100  percent  of  CEDARS  functionality  would  be  available  following  an  outage. 


Recommendation  #2 


We  recommend  the  Department  of  Environmental  Quality  develop  a  Disaster 
Recovery/Business  Continuity  Plan  specifically  defining  steps  for  recovering 
from  service  interruptions  to  the  Consolidated  Environmental  Data  Access 
and  Retrieval  System. 
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September  16,  2009 


Kent  Rice 

Information  Systems  Audit  Manager 
Room  160,  State  Capitol 
Helena,  MT  59620 

Dear  Mr.  Rice: 


RECEIVED 

SEP  1  7  200S 
LEGISLATIVE  AUDIT  DIV. 


I  have  received  and  reviewed  the  Information  Systems  audit  of  the  Consolidated, 
Environmental  Data  Access  and  Retrieval  System  (CEDARS).  Overall,  the 
results  of  this  audit  are  pleasing  and  I  would  like  to  express  my  appreciation  for 
you  and  your  staffs  hard  work  in  this  effort. 

Below  are  the  department's  responses  to  the  report's  recommendations. 

Recommendation  #1 : 

"We  recommend  the  Department  of  Environmental  Quality  comply  with 
system  development  law  and  policy  by  implementing  policy  for  migration 
and  documenting  all  steps  of  the  process." 

Response  #1 : 

The  department  concurs  with  this  recommendation.  Since  the  start  of  the 
development  process  for  this  application  much  has  changed  in  state  policy 
and  law  relative  to  IT  system  development  controls.  Even  though 
CEDARS  has  been  developed  and  deployed  successfully  we  are  not  able 
to  provide  adequate  documentation  that  describes  the  process  used, 
costs,  requirements,  or  in  house  resources  used. 

The  department  currently  has  a  formal  Project  Management  Methodology 
that  predates  the  state  ClO's  effort  sited  in  the  report.  Implementation  of 
that  methodology  has  been  slow  due  to  staff  turnover  over  the  past 
several  years  but  it  is  currently  being  used  for  all  IT  development  projects 
or  significant  IT  efforts.  We  believe  strengthening  this  practice  with  a 
department-wide  policy  that  requires  use  of  a  methodology  and  describes 
a  System  Development  Life  Cycle  will  ensure  adequate  documentation 
and  better  development  project  controls. 
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Recommendation  #2: 

"We  recommend  the  Department  of  Environmental  Quality  develop  a 
Disaster  Recovery/Business  Continuity  Plan  specifically  defining  steps  for 
recovering  from  service  interruptions  to  the  Consolidated  Environmental 
Data  Access  and  Retrieval  System." 

Response  #2: 

The  department  does  not  concur  with  this  recommendation. 

The  audit  report  states  that  the  Data  Base  Hosting  Service  Level 
Agreement  (SLA)  between  DOA/ITSD  and  DEQ  only  provides  "restoration 
of  hardware."  The  department  feels  this  interpretation  of  the  agreement  is 
incorrect.  The  agreement  clearly  outlines  the  use  of  back-up  schemes, 
restoration  of  data  bases  and  applications  from  backup  media,  and  use  of 
"ITSD's  Disaster  Recovery  Plan"  in  the  event  of  an  emergency.  The  audit 
report  states,  "Once  server  hardware  functionality  is  restored,  it  is  up  to 
the  department  to  follow  its  detailed  plan  to  restore  and  test  CEDARS." 
Although  the  department  agrees  that  DEQ  staff  will  have  to  verify  the 
system  is  restored  to  the  most  current  backed-up  version,  it  is  ITSD's 
responsibility  under  the  SLA  to  restore  our  databases  and  applications. 

Thus  the  department  feels  that  our  agreement  with  ITSD  clearly  provides 
full  recovery  of  CEDARS  information  and  functionality  in  the  event  of  a 
disaster. 

Please  contact  me  if  you  have  any  questions.  Thank  you  for  the  opportunity  to 
provide  our  responses. 

Sincerely, 


Richard  H.  Opper 
Director 


Linda  Atkins,  FS 


